IT security firm Trustwave has been accused of failing to properly investigate the card breach suffered by the Las Vegas-based casino operator Affinity Gaming in 2013.

Affinity Gaming filed a complaint in the district court of Nevada in December, alleging that Trustwave misrepresented itself, failed to perform an adequate investigation and identify the breach, and falsely informed the company that the breach had been corrected.

In December 2013, Affinity Gaming suffered a security breach that penetrated their payment card systems. They called Trustwave to investigate the matter.

According to the complaint, “Trustwave informed the company that the malware was removed from its systems and that the breach was contained.”

After Trustwave completed its investigation, Affinity Gaming called Ernst & Young to conduct penetration testing. During the penetration testing, the testers identified suspicious activity associated with a piece of malware.

Affinity Gaming then called in the FireEye-owned forensic specialist Mandiant for further investigation.

The complaint was filed based on the latest investigation done by Mandiant.

“Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity’s data through Affinity Gaming’s Virtual Private Network (VPN), and that the ‘backdoor’ these persons/organizations had created — which Trustwave had speculated may have existed but concluded was ‘inert’ — was very real and accessible,” reads the complaint.

“Mandiant also determined that the unauthorized access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been contained,” it continues.

This Trojan is attached to emails as an archive file. Once the archive is downloaded and decompressed, a JavaScript file inside it is executed; it downloads and installs the actual malware executable, a .NET binary.
Note that the archive file itself does not contain the malware, so antivirus products fail to flag the danger. The .NET binary also goes undetected because of the digital certificate that is issued by SBO INVEST via DigiCert.

According to Zscaler, Spymel infections were first detected in early December 2015. They promptly reported the case to DigiCert and had the certificate revoked, but the group behind Spymel quickly updated their certificate.

Spymel can act as a malware payload downloader, take screenshots of a user's desktop, record videos of the desktop, log keystrokes, and upload stolen data to a remote server.

Spymel is a perfect example of how malware can use archive files booby-trapped with JavaScript code, together with digital certificates, to hide.
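Because the archive in this delivery chain carries only a small script and no malware binary, a mail gateway has to judge the attachment by what it would execute rather than by content signatures. The following is an added example, not taken from Zscaler's report or from any product; the extension lists, verdict names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types that Windows Script Host runs on double-click (assumed policy list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document-like extensions commonly placed before the real one as a decoy (assumed).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def triage_attachment(data: bytes) -> dict:
    """Classify a ZIP attachment by what it would run, not by known-malware content."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "unreadable", "scripts": [], "reasons": ["not a valid ZIP"]}
    scripts, reasons = [], []
    with archive:
        members = [i for i in archive.infolist() if not i.is_dir()]
        for info in members:
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
                continue
            scripts.append(info.filename)
            if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                reasons.append(f"double extension: {info.filename}")
        # Bit 0 of the general-purpose flags marks an encrypted member.
        if any(i.flag_bits & 0x1 for i in members):
            reasons.append("encrypted member (content cannot be scanned)")
    if scripts:
        reasons.insert(0, f"{len(scripts)} script member(s)")
        if len(scripts) == len(members):
            reasons.append("archive contains nothing but scripts")
    verdict = "quarantine" if scripts else ("review" if reasons else "pass")
    return {"verdict": verdict, "scripts": scripts, "reasons": reasons}


def make_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a harmless one-line script and a plain text document.
DROPPER_LIKE = make_zip({"invoice_2015.pdf.js": b"// constructed placeholder\n"})
BENIGN = make_zip({"report.txt": b"quarterly numbers\n"})
```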

Someone has made a $10 device that could steal credit card information when a cardholder has lost a credit card and applied for a new one. Before the replacement arrives, the device helps hackers steal, or at least guess, the credit card number.

The device, dubbed MagSpoof, was made by Samy Kamkar. It can predict and store hundreds of American Express credit card numbers, allowing anyone to use them for wireless payment transactions, even at non-wireless terminals.

According to the hacker, MagSpoof can spoof any magnetic stripe or credit card entirely wirelessly; it can also disable chip and PIN (EMV) protection and accurately predict the card number and expiration date on American Express credit cards.

“MagSpoof can be used as a traditional credit card and
simply store all of your credit cards (and with modification, can technically
disable chip requirements) in various impressive and exciting form factors, or
can be used for security research in any area that would traditionally require
a magstripe, such as readers for credit cards, drivers licenses, hotel room
keys, automated parking lot tickets, etc,” Kamkar said in a blog post.

MagSpoof emulates a magnetic stripe by quickly changing the
polarization of an electromagnet, producing a magnetic field similar to that of
a normal magnetic stripe as if it's being swiped. The magstripe reader requires
no form of wireless receiver, NFC, or RFID. MagSpoof works wirelessly, even
with standard magstripe readers. The stronger the electromagnet, the further
away you can use it.

The device actually guesses the next credit card numbers and
new expiration dates based on a cancelled credit card's number and when the
replacement card was requested respectively. This process does not require the
three or four-digit CVV numbers that are printed on the back side of the credit
cards.

The hacker has notified American Express and said the
company is fixing the flaw.

The FBI has denied an accusation that it paid at least $1 million to Carnegie Mellon University (CMU) researchers to infiltrate Tor, a free software implementation of second-generation onion routing that enables its users to communicate anonymously on the internet.

The agency told Ars Technica that the accusation of paying the university's security researchers to identify Tor users and reveal their IP addresses as part of a criminal investigation was 'inaccurate'.

"The allegation that we paid (Carnegie Mellon
University) $1 million to hack into Tor is inaccurate," the FBI said.

However, the Tor Project team discovered in July last year more than a hundred new Tor relays that modified Tor protocol headers to track people who were looking for Hidden Services, web servers hosted on Tor that offer more privacy.

The attackers used a combination of nodes and exit relays, along with some vulnerabilities in the Tor network protocol, that let them uncover users' real IP addresses.

After discovering the flaws, the team updated its software and rolled out new versions of code to block similar attacks in the future. At that time, however, the team could not find the hackers behind the flaws.

“We teach law enforcement agents that they can use Tor to do
their investigations ethically, and we support such use of Tor -- but the mere
veneer of a law enforcement investigation cannot justify wholesale invasion of
people's privacy, and certainly cannot give it the color of ‘legitimate
research,’” the Tor team said in a blog post.

“Whatever academic security research should be in the
21st century, it certainly does not include ‘experiments’ for pay
that indiscriminately endanger strangers without their knowledge or consent,”
the post added.

The Tor team now claims to have patched the vulnerabilities, but this doesn't solve the core problem.

Some people are blaming the Office of Personnel Management (OPM), which serves as a sort of human resources department for the federal government, some are pointing to unchangeable biometrics, and others are blaming Chinese hackers for the massive breach of the OPM’s servers in the U.S., during which the fingerprints of 5.6 million people were stolen.

Whatever the reason, the concern is for the millions of people whose fingerprints have been stolen. What will the consequences be? Or is there nothing to worry about?

The authority concerned needs to come up with a program to address the issue.

U.S. officials have blamed Chinese government hackers without any evidence. China has also denied any involvement in the breach.

The OPM has said that federal experts believe there is a low chance of the fingerprints being misused. However, there is a possibility that future technologies could take advantage of this information.

The OPM had earlier confirmed that the number of people affected was only 1.1 million. However, the number has now increased to 5.6 million.

“The fact that the number [of fingerprints breached] just
increased by a factor of five is pretty mind-boggling,” Joseph Lorenzo Hall,
the chief technologist at the Center for Democracy & Technology, told Boing
Boing. “I’m surprised they didn't have structures in place to determine the
number of fingerprints compromised earlier during the investigation.”

Beyond the fingerprints, about 21.5 million individuals are said to have had their Social Security Numbers and other sensitive information affected by the hack.

According to the OPM, Department of Homeland Security and Defense Department representatives are now planning to review the implications of the stolen fingerprint data.

The SEC had charged the two with trading on information from illegally obtained news releases.

The company had
become the first of 34 defendants to settle SEC charges over allegations of theft
of more than 150,000 press releases from Newswire before the news became
public.

Traders would sometimes create what prosecutors called
“shopping lists” of companies that were expected to make announcements and pass
them on to hackers.

The illegal profit generated by traders over a period of five years is estimated to be around $100 million, while Jaspen and Supranonok made approximately $25 million from 2010 to 2015 buying and selling contracts-for-differences (CFDs), which are derivatives allowing for leveraged stock price bets, trading on press releases stolen from the newswire service.

The case was filed in U.S. District Court for the District
of New Jersey, which entered an asset freeze and other emergency relief against
Jaspen and Supranonok, among others. Nine
of the defendants also face criminal charges, though Jaspen and Supranonok were
not criminally charged.

Without admitting or denying the SEC’s allegations, the two defendants
agreed to transfer $30 million of ill-gotten gains from the accounts which were
frozen a month ago.

“Today's settlement demonstrates that even those beyond
our borders who trade on stolen nonpublic information and use complex
instruments in an attempt to avoid detection will ultimately be caught,” said SEC
enforcement chief, Andrew Ceresney.

The settlement between Jaspen and Mr. Supranonok must be
approved by a court.

The SEC said its civil case will continue against the other
32 defendants.